Geoscientific research agency Geoscience Australia was vulnerable to cyber attacks and its ICT general controls were not sound, a report from the Australian National Audit Office (ANAO) revealed.
The report named DXC Technology as Geoscience Australia's contracted ICT service provider, which is responsible for maintaining the security of the ICT environment, including patch management.
“While DXC is responsible for ICT operations and security, Geoscience Australia remains accountable for its ICT security, including the administration and oversight of the service level agreement with DXC,” the report said.
The ANAO audits a pre-selected group of government agencies to find out if they are complying with the Australian Signals Directorate’s list of eight cybersecurity directives, the Strategies to Mitigate Cyber Security Incidents.
Four of the eight strategies — application whitelisting, patching applications, patching operating systems, and minimising privileged user access — are mandatory. The other four are disabling untrusted Microsoft Office macros, user application hardening, multi-factor authentication, and daily backup of systems and data.
The ANAO recommended that Geoscience Australia should establish a plan and timeframe to achieve compliance with the four strategies and to monitor delivery against that plan.
It also recommended that the Attorney-General's Department, the Department of Home Affairs and the Australian Signals Directorate work together to improve compliance by providing technical guidance that helps government entities accurately self-assess their compliance, developing a program for verifying entities' reported compliance with the mandatory cyber security requirements, and increasing transparency and accountability about entities' compliance with those requirements.
“Geoscience Australia welcomes this report and agrees with the two recommendations. We agree that the report is an accurate assessment of our compliance at the time of the audit,” Geoscience Australia said.
“We have already commenced actions to improve compliance to address the security issues identified including: the engagement of a senior consultant to advise on an overarching security framework; the establishment of a Security Working Group; and an action plan to address compliance with the strategies.”
Joining Geoscience Australia in the audit were the Department of the Treasury and the National Archives of Australia.
The audit found that only Treasury was compliant with the four mandatory strategies and was cyber resilient, while National Archives was found to be non-compliant but had sound ICT general controls and was ruled internally resilient.
However, none of the three entities complied with the non-mandatory strategies.
“As with the ANAO’s previous audits of cyber security, this audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the four mitigation strategies,” the report read.
“None of the three entities had implemented the four non-mandatory strategies and were largely at early stages of consideration and implementation.”
“These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened.”
DXC, which was CSC Australia at the time, won the $20 million deal to update technology at Geoscience Australia in 2016, partnering with HDS, ServiceNow, AT&T and other global vendors to provide services, hardware and software.